
Temporarily Disable Defender for Endpoint

Sometimes I am presented with scenarios where I have to assist different IT team members with performance issues on servers and workstations. In most cases, the support teams’ goal is to rule out Defender for Endpoint as a performance bottleneck.

The process below is what I use to temporarily disable Defender for Endpoint for troubleshooting purposes:

1- Locate the device in Device – Microsoft Defender and enable Troubleshooting mode. (Allow a few minutes for the command to be pushed to the device and sync properly.)

Troubleshooting mode will be active for 4 hours.

2- On the device in question, open PowerShell as a Local Administrator and run the command:

Set-MPPreference -DisableTamperProtection $true

3- Confirm DisableTamperProtection is enabled:

Get-MPPreference | Select DisableTamperProtection

4- Open Windows Security > Virus & threat protection > Virus & threat protection settings > Manage settings.

5- Disable the settings:

  • Real-time protection
  • Cloud-delivered protection
  • Automatic sample submission

Method #2

You may not be able to disable the SENSE service. If you need it disabled, follow the steps below.

  1. Start Registry Editor.
  2. In Registry Editor, right-click the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sense subkey, and then select Permissions.
  3. In the Permissions window that opens, select Advanced.
  4. At the top of the Advanced Security Settings window, select Change next to the listed owner.
  5. In the Select User, Computer, Service Account, or Group window, type the name of your Windows user account (user_account) in the Enter the object name to select box, and then select Check Names to validate the account name.
  6. Select OK two times.
  7. In the Permissions window, select the Users group, and then select the Allow check box for the Full Control permissions.
  8. Run Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Sense" -Name "Start" -Value 4

IMPORTANT!

You MUST switch everything back to its original “Enabled” state:

  1. SENSE service: Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Sense" -Name "Start" -Value 2
  2. Real-time protection (Via Windows Security console)
  3. Cloud-delivered protection (Via Windows Security console)
  4. Automatic sample submission (Via Windows Security console)

Tamper Protection: Set-MPPreference -DisableTamperProtection $false
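
A read-only check to run after the restore steps, as an added example that is not part of the original post: it reads back each setting changed above and also reports whether the Full Control entry for Users from Method #2, step 7 is still on the Sense key. The helper name New-Check and the group name BUILTIN\Users (English-language systems) are assumptions.

```powershell
# Added example: read-only check of the settings this post changes.
# Run from an elevated PowerShell session on the device after the restore steps.
$senseKey = 'HKLM:\System\CurrentControlSet\Services\Sense'
$pref     = Get-MpPreference
$status   = Get-MpComputerStatus
$svc      = Get-Service -Name 'Sense'
$start    = (Get-ItemProperty -Path $senseKey -Name 'Start').Start

# Method #2, step 7 grants Users Full Control on the key; look for a leftover ACE.
# Assumption: 'BUILTIN\Users' is the group name on an English-language system.
$full = [System.Security.AccessControl.RegistryRights]::FullControl
$acl  = Get-Acl -Path $senseKey -ErrorAction SilentlyContinue
$usersFull = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.RegistryRights -band $full) -eq $full
})

function New-Check {   # hypothetical helper: one result row per setting
    param([string]$Setting, $Actual, [bool]$Ok)
    [pscustomobject]@{ Setting = $Setting; Actual = $Actual; Ok = $Ok }
}

$checks = @(
    New-Check 'SENSE Start value (2 = automatic)' $start ($start -eq 2)
    # Writing Start = 2 does not start the service; it needs a start or a reboot.
    New-Check 'SENSE service status' $svc.Status ($svc.Status -eq 'Running')
    New-Check 'Real-time protection' $status.RealTimeProtectionEnabled `
        ($status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring)
    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced.
    New-Check 'Cloud-delivered protection (MAPSReporting)' $pref.MAPSReporting ($pref.MAPSReporting -ne 0)
    # SubmitSamplesConsent: 1 = send safe samples, 3 = send all samples.
    New-Check 'Automatic sample submission' $pref.SubmitSamplesConsent ($pref.SubmitSamplesConsent -in 1, 3)
    New-Check 'Tamper Protection' $status.IsTamperProtected `
        ($status.IsTamperProtected -and -not $pref.DisableTamperProtection)
    New-Check 'Users Full Control ACE on Sense key' ($usersFull.Count -gt 0) `
        ($null -ne $acl -and $usersFull.Count -eq 0)
)

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning ("Not restored: " + ($failed.Setting -join '; '))
}
```

Any row with Ok = False names a setting that is still in its troubleshooting state.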